[Snort-users] Securing a Snort machine
mkettler at ...4108...
Thu Apr 17 08:47:30 EDT 2003
At 03:36 PM 4/17/2003 +1000, Elvira_Byrnes at ...8560... wrote:
>Thanks a lot for your suggestions. What is the proper way to configure an
>IPless interface on the RedHat? Is it safe to run Webmin on that box?
>Thanks a lot.
Webmin always carries a small degree of risk, since it is a powerful tool
and is network accessible. If you do run it, make SURE that it's only bound
to an "inside" interface and make sure that your firewall will NOT allow
the internet to talk to the IP of that interface. As long as it's running
only on an inside interface that's protected by a firewall it should be
safe, but you are depending on the firewall.
Also, one suggestion that (shockingly) nobody on the list mentioned:
It's generally a wise idea to chroot and setuid your copy of snort. This
will make it harder to exploit the machine should snort itself contain a
buffer overflow (i.e. like the rpc_decode bug). This is relatively easy to
do, but does involve building the directories for a chroot jail.
1) make a /home/snort or something of the sort.
2) under it create some directories (note that var needs to be chowned such
that the user snort runs as can access it. In this example I'm using the
user nobody, but you can create a special "snort" user. )
drwxr-xr-x 2 root root 512 Apr 14 17:25 dev
drwxr-xr-x 2 root root 512 Dec 19 21:55 etc
drwxr-xr-x 2 root root 1536 Dec 19 16:56 rules
drwxr-xr-x 2 root root 512 Dec 19 18:13 sbin
drwxr-xr-x 4 nobody root 512 Dec 19 20:33 var
under var make a log directory
drwxr-xr-x 3 nobody root 512 Dec 19 16:58 log
and under log make a snort directory:
drwxr-x--- 2 nobody root 1024 Apr 17 01:30 snort
Note I've also made that directory chmod 750 to prevent non-root users
other than nobody
3) make some entries in dev (note: mknod commands assume linux, these
values are different on BSDs)
mknod null c 1 3
mknod zero c 1 5
4) set up syslog to have a log point within the chroot
edit /etc/sysconfig/syslog such that SYSLOGD_OPTIONS contains "-a
service syslog restart
5) copy your rules into the rules directory of the chroot, and your
snort.conf into its etc. Also copy snort to the chroot's sbin.
6) make a simple script to start snort with chroot: (modify it to taste)
/home/snort/sbin/snort -c etc/snort-spade.conf -t /home/snort -l /var/log/snort -u nobody -i eth0 -D
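The steps above as one script, added here as an illustration rather than anything Matt posted or that ships with Snort. It assumes Linux (GNU coreutils `mknod -m` and `stat -c`), the unprivileged user `nobody`, the jail at `/home/snort`, and that the binary, config and rules live at `/usr/sbin/snort`, `/etc/snort/snort.conf` and `/etc/snort/rules/` (adjust to your install). The syslog step is left out because the exact `-a` socket path is not on this page. Because `-t` makes snort chroot itself after initialization, shared libraries do not need to be copied into the jail. The `check` target verifies the layout, including the 750 mode on `var/log/snort`, before `start` is allowed to run.

```shell
#!/bin/sh
# Build and run a snort chroot jail following the six steps in the post.
# Example script for this thread, not Snort project code; paths below are assumptions.
set -e

JAIL="${JAIL:-/home/snort}"     # step 1: jail root
RUNAS="${RUNAS:-nobody}"        # user snort drops to with -u
IFACE="${IFACE:-eth0}"          # sniffing interface

# Step 2: directory tree. var and var/log belong to the snort user;
# var/log/snort is mode 750 so only root and that user can read the logs.
make_jail_dirs() {
    jail="$1"; user="$2"
    for d in dev etc rules sbin; do
        mkdir -p "$jail/$d"
        chmod 755 "$jail/$d"
    done
    mkdir -p "$jail/var/log/snort"
    chown "$user" "$jail/var" "$jail/var/log" "$jail/var/log/snort"
    chmod 755 "$jail/var" "$jail/var/log"
    chmod 750 "$jail/var/log/snort"
}

# Step 3: device nodes snort needs inside the jail (Linux major/minor numbers).
make_jail_devs() {
    jail="$1"
    [ -e "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    [ -e "$jail/dev/zero" ] || mknod -m 666 "$jail/dev/zero" c 1 5
}

# Step 5: copy the binary, config and rules into the jail (source paths assumed).
populate_jail() {
    jail="$1"
    cp /usr/sbin/snort "$jail/sbin/snort"
    cp /etc/snort/snort.conf "$jail/etc/snort.conf"
    cp /etc/snort/rules/*.rules "$jail/rules/"
}

# Sanity check before starting: every file the jail needs is present and the
# log directory is not readable by other users. Returns 1 on the first problem.
check_jail() {
    jail="$1"
    for p in dev/null dev/zero etc/snort.conf sbin/snort var/log/snort; do
        [ -e "$jail/$p" ] || { echo "missing $jail/$p" >&2; return 1; }
    done
    mode=$(stat -c %a "$jail/var/log/snort")
    [ "$mode" = "750" ] || { echo "var/log/snort is mode $mode, want 750" >&2; return 1; }
}

# Step 6: start snort; -t chroots to the jail and -u drops privileges after init,
# so -c and -l are paths as seen from inside the jail.
start_snort() {
    jail="$1"; user="$2"; iface="$3"
    "$jail/sbin/snort" -c etc/snort.conf -t "$jail" -l /var/log/snort \
        -u "$user" -i "$iface" -D
}

case "${1:-}" in
    build) make_jail_dirs "$JAIL" "$RUNAS"; make_jail_devs "$JAIL"; populate_jail "$JAIL" ;;
    check) check_jail "$JAIL" ;;
    start) check_jail "$JAIL" && start_snort "$JAIL" "$RUNAS" "$IFACE" ;;
    *)     echo "usage: $0 build|check|start" >&2 ;;
esac
```

Run `sh snort-jail.sh build` as root once, then `sh snort-jail.sh start` from your init script; `check` alone is handy after a rules update to confirm nothing in the jail was clobbered or left world-readable.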